siliconindia

CIO Security Predictions: Top Three Trends Affecting Enterprise Risk

Author: Gaurav Agarwal
Country Manager, Tivoli Software, IBM India/South Asia.

Cloud computing, service oriented architecture (SOA), and other rapidly emerging technologies are increasing the threats to data governance strategies. Knowing how the threats are changing is key to successful risk management planning - and critical to your bottom line.

In this new global reality of companies rushing to exploit the opportunities of SOAs, clouds, and other distributed models of computing, both determined outsiders and insiders may seek to exploit vulnerabilities. Consequently, the pervasiveness of these technologies marks a fundamental change in how organizations should approach the accompanying security challenges, especially the top three challenges identified by many organizations as being fundamentally important in the next year.

Identity

Every day billions of people are connecting to one another in the virtual world and therefore identity has taken on a new focus. Applications are no longer secured behind a firewall; they are becoming more and more composites and mash-ups created from sources inside and outside the enterprise. Transactions depend on the level of trust each party places in the other’s credentials and the systems supporting them. Yet, considering the rising instances of identity theft and fraud, it is clear that without instituting policies, processes, and best practices, trust can be misplaced, unauthorized, or uncertain.

In a SOA environment these concepts become more complex as identity is not limited to users alone. Often, services themselves must be given an identity. That is, when a service invokes another service, each service needs to take on an identity. For example, a shipping service may be automatically invoked by an order processing system, and that system must recognize the shipping service as a trusted identity, otherwise the order fails.

From order processing to healthcare authorizations and high-value banking operations, every business must treat SOA security with great care, and trust is the core principle driving these business operations. The ramifications of failed policies can reach all the way to the bottom line. Moreover, identity systems continue to proliferate, forcing individuals to become their own identity administrators, juggling a mixture of self-created and third-party issued identities for every service they interact with, and balancing the trade-offs between privacy and reputation that come with increased disclosure. Individuals must also have a common set of ‘operating procedures’ with which to navigate the new security landscape.

Going forward, the challenge lies in developing a common set of identity policies, processes, best practices, and technology as well as multipurpose identity systems that can be used across service providers. These systems should be able to accommodate complex identity relationships while providing a simplified way to address common identity.

Information Security

Data breaches are already a boardroom issue, and organizations can expect a continued push to minimize the risks they pose. As a result, there should be a new focus on privacy management tools with the capability to mask data, particularly in nonproduction environments such as application development, where data protection continues to be less stringent. This can reinforce the need for cryptography, and with it the demand to simplify its complexity.

Collectively, security practices — including data steward assignments, data monitoring, policy-based data classification, and security requirements records — should provide the metrics that calculate and reflect the security protections for a particular repository. These metrics can then be used in formulating ‘trust indexes’ that can guide decisions about the use of a data repository. A data repository with a high trust index association can be used for high-risk decisions; conversely, a repository with a low trust index association should be used only for low-risk activities. These repositories can be reused across the enterprise and applied to incoming information from a variety of sources, especially as mash-ups continue to be a driving force of innovation.

Application Security

In 2008, a new type of threat known as Search Engine Optimization (SEO) code injection or poisoning impacted around 1.2 million websites, including some very high-profile sites. As the dust settled from this exceptionally destructive threat, it became clear that applications had become ground zero for hacker attacks.

Part of the vulnerability lies in the evolution from monolithic applications to composite applications, both in SOA-style process choreography and through Web 2.0-style widgets and mash-ups. These composite applications can include application code from a wide variety of sources in a true mix-and-match fashion. Though this approach has tremendously improved programmer efficiency and enabled many non-programmers to compose sophisticated applications with little training, it can leave applications vulnerable.

Perhaps the most challenging aspect of composable applications is the inability of the application to fully understand the composition, and therefore the security posture, until the application is deployed. Only then — when it’s already too late — are all the contributing elements exposed, including malware and vulnerabilities. Security development expertise is now being embedded into the tools and development platforms so that security checks can be performed at each stage of development.

These security trends can also offer a wealth of opportunities for forward-acting companies. It’s how the risk is managed that will determine how an organization thrives, or fails, in the face of emerging technologies.